Quick Start instructions to install and configure Istio in a Kubernetes cluster.
The following instructions require that you have access to a Kubernetes 1.7.3 or newer cluster with RBAC (Role-Based Access Control) enabled. You will also need kubectl 1.7.3 or newer installed. If you wish to enable automatic injection of the sidecar, you need to turn on Kubernetes alpha features in your cluster.
Note: If you installed Istio 0.1.x, uninstall it completely before installing the newer version (including the Istio sidecar for all Istio-enabled application pods).
Install or upgrade the Kubernetes CLI kubectl to match the version supported by your cluster (version 1.7 or later for CRD support).
Depending on your Kubernetes provider:
To install Istio locally, install the latest version of Minikube (version 0.22.1 or later).
<cluster-name> with the name of the cluster you want to use, and <zone> with the zone where that cluster is located):
gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project-name>
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
<cluster-name> with the name of the cluster you want to use):
$(bx cs cluster-config <cluster-name>|grep "export KUBECONFIG")
IBM Cloud Private version 2.1 or later
kubectl CLI based on steps here for how to access the IBM Cloud Private Cluster.
Openshift Origin version 3.7 or later
oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z default -n istio-system
oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
Starting with the 0.2 release, Istio is installed in its own istio-system namespace, and can manage micro-services from all other namespaces.
curl -L https://git.io/getLatestIstio | sh -
.yaml files for Kubernetes in
istioctl client binary in the
istioctl is used when manually injecting Envoy as a sidecar proxy and for creating routing rules and policies.
istio.VERSION configuration file
istioctl client to your PATH. For example, run the following command on a MacOS or Linux system:
a) Install Istio without enabling mutual TLS authentication between sidecars. Choose this option for clusters with existing applications, applications where services with an Istio sidecar need to be able to communicate with other non-Istio Kubernetes services, and applications that use liveness and readiness probes, headless services, or StatefulSets.
kubectl apply -f install/kubernetes/istio.yaml
b) Install Istio and enable mutual TLS authentication between sidecars:
kubectl apply -f install/kubernetes/istio-auth.yaml
Both options create the istio-system namespace along with the required RBAC permissions, and deploy Istio-Pilot, Istio-Mixer, Istio-Ingress, Istio-Egress, and Istio-CA (Certificate Authority).
kubectl apply -f install/kubernetes/istio-initializer.yaml
kubectl get svc -n istio-system
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingress 10.83.245.171 22.214.171.124 80:32730/TCP,443:30574/TCP 5h
istio-pilot 10.83.251.173 <none> 8080/TCP,8081/TCP 5h
istio-mixer 10.83.244.253 <none> 9091/TCP,9094/TCP,42422/TCP 5h
Note: If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the
<pending>. You must access the application using the service NodePort, or use port-forwarding instead.
istio-ca-*, and, optionally,
kubectl get pods -n istio-system
istio-ca-3657790228-j21b9 1/1 Running 0 5h
istio-ingress-1842462111-j3vcs 1/1 Running 0 5h
istio-initializer-184129454-zdgf5 1/1 Running 0 5h
istio-pilot-2275554717-93c43 1/1 Running 0 5h
istio-mixer-2104784889-20rm8 2/2 Running 0 5h
You can now deploy your own application or one of the sample applications provided with the installation like BookInfo. Note: the application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because HTTP/1.0 is not supported.
If you started the Istio-Initializer, as shown above, you can deploy the application directly using kubectl create. The Istio-Initializer will automatically inject Envoy containers into your application pods:
kubectl create -f <your-app-spec>.yaml
If you do not have the Istio-Initializer installed, you must use istioctl kube-inject to manually inject Envoy containers in your application pods before deploying them:
kubectl create -f <(istioctl kube-inject -f <your-app-spec>.yaml)
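A check for the injection step above, added here as an example and not part of the Istio documentation: it lists pods whose spec has no sidecar container, which is how you spot workloads created before the initializer was running or deployed without istioctl kube-inject. It assumes the injected container is named istio-proxy (override with SIDECAR_NAME); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pods that do NOT carry the Envoy sidecar container.
# Assumption: the injected container is named "istio-proxy".
SIDECAR_NAME="${SIDECAR_NAME:-istio-proxy}"

# Reads lines of the form "<pod-name><TAB><container> <container> ..." on
# stdin and prints every pod whose container list lacks the sidecar.
# Names are compared exactly, so "istio-proxy-old" does not count as a match.
pods_missing_sidecar() {
  awk -F '\t' -v sidecar="$SIDECAR_NAME" '
    $1 != "" {
      found = 0
      n = split($2, names, " ")
      for (i = 1; i <= n; i++) if (names[i] == sidecar) found = 1
      if (!found) print $1
    }'
}

# Produces that listing from a live cluster for the namespace given as $1.
list_pod_containers() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'
}

# Constructed sample listing (not real cluster output): one injected pod,
# one pod created without injection, one with a look-alike container name.
sample_listing() {
  printf 'productpage-v1-aaaa\tproductpage istio-proxy \n'
  printf 'legacy-batch-bbbb\tworker \n'
  printf 'reviews-v1-cccc\treviews istio-proxy-old \n'
}

check_sample() {
  sample_listing | pods_missing_sidecar
}

# With a namespace argument, check the cluster; otherwise run the sample.
if [ -n "${1:-}" ]; then
  list_pod_containers "$1" | pods_missing_sidecar
else
  check_sample
fi
```

When Istio was installed with istio-auth.yaml, any pod this reports is outside the mutual TLS mesh and should be re-created with the sidecar injected.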
Uninstall Istio initializer:
If you installed Istio with initializer enabled, uninstall it:
kubectl delete -f install/kubernetes/istio-initializer.yaml
Uninstall Istio core components. For the 0.4 release, the uninstall deletes the RBAC permissions, the istio-system namespace, and hierarchically all resources under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically.
a) If you installed Istio with mutual TLS authentication disabled:
kubectl delete -f install/kubernetes/istio.yaml
b) If you installed Istio with mutual TLS authentication enabled:
kubectl delete -f install/kubernetes/istio-auth.yaml